
x/crypto/ocsp: misleading diagnostic on cert mismatch #19540

Closed
philpennock opened this issue Mar 14, 2017 · 3 comments

Comments


@philpennock philpennock commented Mar 14, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.8 freebsd/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="freebsd"
GOOS="freebsd"
GOPATH="/home/pdp/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/freebsd_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -gno-record-gcc-switches"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

I used my tool go.pennock.tech/smtpdane to check the status of the certificate on my SMTP server, with OCSP checks enabled; the OCSP logic uses golang.org/x/crypto/ocsp. In cron, smtpdane -q -expect-ocsp -mx spodhuis.org is invoked; for a period of time it reported:

OCSP: response invalid for mx.spodhuis.org from Let's Encrypt Authority X3:
        unsupported issuer hash algorithm

The second line there is straight from the OCSP library and is the error returned when OCSP validation failed.

It turns out, my automated Let's Encrypt renewal needed to also invoke the OCSP renewal instead of leaving it to cron. Obvious in retrospect.

What "unsupported issuer hash algorithm" actually meant in this context was "OCSP staple not for this certificate".

What did you expect to see?

A diagnostic message pointing reasonably to how I had messed up and the nature of the cryptographic failure.

What did you see instead?

A bogus message about "unsupported issuer hash algorithm". The hash algorithm was fine.
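
As an added example (not code from this issue, from smtpdane or from x/crypto/ocsp): a checker that compares the CertID carried in an OCSP response against the certificate and issuer in hand, so that a staple left over from the pre-renewal certificate is reported as a serial mismatch rather than as an unsupported hash algorithm. It assumes SHA-1 CertIDs (the only hash it accepts), works on a CertID that a response parser has already extracted, and the names certID, issuerHashes and explainMismatch are its own.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
)

// certID mirrors the CertID of an OCSP SingleResponse (RFC 6960, section 4.1.1).
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26} // the only CertID hash this example accepts

// issuerHashes recomputes the SHA-1 hashes a responder places in a CertID: one over the
// issuer's DER subject name, one over the value of its subjectPublicKey BIT STRING.
func issuerHashes(issuer *x509.Certificate) (nameHash, keyHash []byte, err error) {
	var pub struct{ Algorithm pkix.AlgorithmIdentifier; PublicKey asn1.BitString } // SubjectPublicKeyInfo
	if _, err = asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &pub); err != nil {
		return nil, nil, err
	}
	n, k := sha1.Sum(issuer.RawSubject), sha1.Sum(pub.PublicKey.RightAlign())
	return n[:], k[:], nil
}

// explainMismatch returns "" when id identifies cert as issued by issuer; otherwise it names
// the actual mismatch instead of reporting every failure as an unsupported hash algorithm.
func explainMismatch(id certID, cert, issuer *x509.Certificate) string {
	if !id.HashAlgorithm.Algorithm.Equal(oidSHA1) {
		return "unsupported issuer hash algorithm " + id.HashAlgorithm.Algorithm.String()
	}
	nameHash, keyHash, err := issuerHashes(issuer)
	if err != nil {
		return "cannot parse issuer public key: " + err.Error()
	}
	if !bytes.Equal(id.IssuerNameHash, nameHash) || !bytes.Equal(id.IssuerKeyHash, keyHash) {
		return "OCSP response was produced under a different issuer"
	}
	if id.SerialNumber.Cmp(cert.SerialNumber) != 0 { // a stale staple for the pre-renewal certificate lands here
		return "OCSP response is for serial " + id.SerialNumber.String() + ", not " + cert.SerialNumber.String()
	}
	return ""
}
```

For a real staple, fill certID from the SingleResponse the parser returns and pass the leaf and its issuer from the served chain; the SHA-1 requirement is this example's simplification, not a property of the library.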

@bradfitz bradfitz changed the title from "x/crypto/ocsp misleading diagnostic on cert mismatch" to "x/crypto/ocsp: misleading diagnostic on cert mismatch" Mar 21, 2017

@bradfitz bradfitz (Contributor) commented Mar 21, 2017

/cc @agl

@bradfitz bradfitz added this to the Unreleased milestone Mar 21, 2017
@agl agl self-assigned this Mar 24, 2017
@agl agl (Contributor) commented Mar 24, 2017

That does seem unhelpful. /cc @kreichgauer


@gopherbot gopherbot commented May 24, 2017

CL https://golang.org/cl/44005 mentions this issue.

@golang golang locked and limited conversation to collaborators Jun 1, 2018